The Importance of Penetration Testing for PCI DSS Compliance
The Payment Card Industry Data Security Standard (PCI DSS) is a widely adopted information security standard intended to protect credit and debit card transactions and the cardholder data behind them. Compliance is mandated by the major card brands, while the standard itself is developed and administered by the Payment Card Industry Security Standards Council (PCI SSC).
The standard exists to protect cardholders against misuse of their account data. Any organisation that accepts credit or debit card payments, or that stores, processes or transmits cardholder data or sensitive authentication data, must comply with the PCI DSS. Merchants or websites that have outsourced all of their payment processing to a third party remain responsible for ensuring that every contracted party complies with the PCI DSS requirements.
Why is Penetration Testing important for PCI DSS Compliance?
To comply with the PCI DSS, organisations must meet a set of requirements defined by the PCI SSC; the full requirements document is published on the PCI SSC website. Several of these requirements, which we look at below, cover both vulnerability scanning and in-depth penetration testing. The requirement numbers used here (6.6, 11.3.1 and 11.3.2) follow the PCI DSS v3.2.1 numbering; later versions of the standard renumber these controls, so check which version your assessor is working to.
Requirement 6.6 states that, for public-facing web applications, new threats and vulnerabilities must be addressed on an ongoing basis: either the application is reviewed for vulnerabilities (manually or with automated application security assessment tools) at least annually and after any change, or it is protected by an automated technical solution, such as a web application firewall, that detects and prevents web-based attacks. Because such applications are primary targets for attackers, the requirement for regular reviews is intended to reduce the number of exploitable vulnerabilities exposed to the internet.
Establishing a regular vulnerability scanning routine can help meet this requirement. Such scans can be automated, but at Secora Consulting we believe in going beyond automated scanning. Our Vulnerability Assessment services are led by our industry-leading consultants, who manually verify every finding to remove false positives. This gives your organisation confidence that any remediation work carried out will directly improve your overall security, and we also provide a detailed analysis of how each issue identified would affect your organisation.
Requirements 11.3.1 & 11.3.2
Requirements 11.3.1 and 11.3.2 require external and internal penetration testing, respectively, to be performed at least annually and after any significant infrastructure or application change. Penetration testing carried out regularly and after significant changes is a proactive security measure that helps organisations identify and close the paths by which malicious software or individuals could gain access to the Cardholder Data Environment (CDE).
Having a penetration test carried out by an external third party brings impartiality to the test. It also puts a fresh pair of eyes on the internal and external networks, which can uncover vulnerabilities that in-house teams have become accustomed to or would otherwise overlook.
At Secora Consulting, our infrastructure penetration testing is a comprehensive way to evaluate your internal and external networks, identify vulnerabilities and assess the impact an attacker exploiting them could have on your business.
We take a comprehensive and systematic approach, using realistic attack vectors your organisation could actually face, to determine how a malicious attacker could compromise the network and ultimately gain access to the Cardholder Data Environment (CDE).
If you are currently preparing for an upcoming PCI DSS audit or looking to implement a vulnerability assessment routine, get in touch.
Our team is available by email at firstname.lastname@example.org or by phone on +353-74-970-7876, and we are happy to assist you with your PCI DSS compliance or any other compliance projects you may have.
All of Secora Consulting's assessments are tailored to our clients' needs.
Using our experience, we can help you determine which services are right for you.
We have arranged our services into four groups based on the objective of the tests.